[Freeipa-devel] [RFC] Serving legacy systems cliens for trusts

[Sumit Bose]

On Mon, Jun 03, 2013 at 03:32:05PM +0200, Sumit Bose wrote:
> On Tue, May 28, 2013 at 02:50:59PM +0300, Alexander Bokovoy wrote:
> > Hi,
> > 
> > 
> > http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts
> > 
> > 
> > === CLI ===
> > 
> > The feature is not directly exposed in CLI.
> > 
> > IPA idrange management is expanded to specify idrange type (IPA local,
> > AD trust, AD with winsync, IPA trust, ..) to affect the way how AD users
> > SIDs are mapped to POSIX IDs.
> > 
> 
> Hi,
> 
> currently with algorithmic mapping we use user-private groups for all
> trusted user. This is in agreement with the defaults for IPA users and
> also matches with AD's RID handling because a single namespace for UIDs
> and GIDs is forced this way.
> 
> When adding support for UIDs and GIDs stored in AD we cannot do this
> anymore because AD (correctly) treats POSIX UIDs and GIDs as separate
> name spaces. As a consequence SSSD has to treat algorithmic mapping and
> IDs-in-AD mapping differently with respect to user private groups.
> 
> My question is, shall SSSD implicitly do the right thing based on the
> type of the idrange, or shall there be an extra attribute in the idrange
> object which explicitly says if the range has user private groups or
> not?
> 
> I think it is not needed because for both current mappings there is only
> one choice but maybe someone can think of a reason for such an
> attribute.

We discussed this a bit and came to the following agreement:
- no extra attribute is needed
- for all idranges type where IPA is assigning the ID user-private groups
  will be used (local IPA users, algorithmic mappings)
- for all idranges where the IDs are managed by external sources we use
  what we get

bye,
Sumit

> 
> bye,
> Sumit
> 
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel